Tag Archives | windows xp

Blank Windows Screen or ISAPNP.sys Hang = A Zero Bytes .Sys Driver

I had one hell of a mystery on my hands the other day.  A client called me and said she had a blank screen every time she booted up her Windows XP computer.  I was pretty busy, so I told her I’d pick it up and work on it over the weekend.  I just figured it was a bad vid card or a corrupted Windows XP install.

Here are the things I tried:

  1. Full scans using my UBCD4WIN…nothing found…
  2. I tried to load safe mode but it hung on isapnp.sys every time.
  3. I ran chkdsk /r
  4. I did an in-place Windows XP repair

…nothing would work.

As I was doing a visual check of the standard Windows XP drivers I discovered there was a randomly named zero-KB .sys file in c:\windows\system32\drivers.  I simply deleted the file and the PC booted up completely normally.

I just wanted to put this out there because it looks like it’s something new.  I’m not sure if it affects other versions of Windows or not.
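The check that found the culprit above can be scripted. The following is an added example (not the author's tool) that walks an offline copy of the drivers directory, lists every 0-byte .sys file, and also lists the most recently modified drivers, since a dropped file is usually far newer than the rest of an XP drivers folder. Run it against the mounted, non-booted volume (for instance from UBCD4WIN), so the malware's own file-hiding is out of the picture; the default path and the `count` heuristic are assumptions for illustration.

```python
"""Added example: audit an offline Windows drivers directory for the
0-byte .sys symptom. Point it at the drivers folder of the mounted,
non-booted disk (e.g. from a boot CD), not the live system."""
import sys
from pathlib import Path


def _sys_files(drivers_dir):
    """All regular files with a .sys extension in drivers_dir (non-recursive)."""
    return [p for p in Path(drivers_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".sys"]


def find_zero_byte_drivers(drivers_dir):
    """Names of 0-byte .sys files in drivers_dir, sorted.

    A legitimate driver is never empty, so any hit is worth looking at;
    the case on the page was a randomly named empty file whose presence
    hung safe mode at isapnp.sys.
    """
    return sorted(p.name for p in _sys_files(drivers_dir) if p.stat().st_size == 0)


def newest_drivers(drivers_dir, count=10):
    """Names of the `count` most recently modified .sys files, newest first.

    Heuristic (assumption, not a rule): a dropped driver is usually much
    newer than the rest of the directory, which on XP mostly dates from
    install or the last service pack.
    """
    files = sorted(_sys_files(drivers_dir),
                   key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.name for p in files[:count]]


if __name__ == "__main__":
    # Assumed default; pass the mounted volume's drivers path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for name in find_zero_byte_drivers(target):
        print(f"ZERO-BYTE: {name}")
    print("Most recently modified drivers:")
    for name in newest_drivers(target):
        print(f"  {name}")
```

A zero-byte hit is a strong signal on its own; the recency list is only a place to start looking and will also show legitimately updated drivers.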


New Rootkit Patches MOUSE.DRV

I ran across 2 rootkits this week that hid inside Mouse.drv (in Windows\System32).  Both PCs had CPUs pegged to 100% from 2 processes running at 50% each.  The processes were svchost.exe and services.exe.

I tried to run GMER and Combofix in safe mode, but neither would finish their scans.  Eventually I had to use my UBCD and Avira found 1 infection…mouse.drv.  I deleted mouse.drv and copied another from the Windows XP disc.

I have no idea what this rootkit did (except to piss me off); I suppose I’ll try to find another and upload it to virustotal.com


Atapi.sys Rootkit is EVERYWHERE!

Man…every client I’ve seen for the past 2 weeks who was infected with malware also had this Atapi.sys rootkit.  I know I wrote about this about 2 weeks ago, but I wanted to keep this fresh.  If your searches are getting redirected and you’ve scanned with just about everything you can think of, then there’s a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a spawned dll from this rootkit…I think it’s called AlureonCT).

One easy way to find out if you have a patched Atapi.sys is to run the latest copy of GMER Anti-RootKit.  Upon opening, GMER runs a very fast quick scan.  If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or Atapi.sys “suspicious modification” (especially this one), then you’re probably dealing with a very nasty rootkit.

For clients that run Windows XP I’ve just been using Combofix (Combofix disinfects Atapi.sys).  For other 32-bit operating systems I’ve just been using a bootable anti-malware disc (BartPE) and replacing atapi.sys with one from the Windows disc.
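When you are already booted from BartPE or UBCD with the infected volume mounted, you can confirm the "patched atapi.sys" diagnosis before replacing anything by hashing the on-disk file against a known-good copy. The following is an added example (not a tool from the post or from GMER/Combofix): it compares a short list of files that these posts name as rootkit targets, atapi.sys, isapnp.sys and mouse.drv, between the suspect Windows directory and a reference directory. The reference layout (the expanded install-media files arranged like a Windows directory) and the `DEFAULT_TARGETS` list are assumptions for illustration.

```python
"""Added example: compare driver files on an offline (mounted, not booted)
Windows volume against known-good copies by SHA-256. `reference_root` is
assumed to hold expanded files from the install media in the same layout
as the Windows directory; `suspect_root` is the mounted volume's Windows
directory."""
import hashlib
import sys
from pathlib import Path

# Files the posts above name as rootkit targets, relative to the Windows
# directory. Assumed list; extend as needed.
DEFAULT_TARGETS = (
    "system32/drivers/atapi.sys",
    "system32/drivers/isapnp.sys",
    "system32/mouse.drv",
)


def sha256_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(suspect_root, reference_root, targets=DEFAULT_TARGETS):
    """Return {relative_path: verdict} for each target.

    Verdicts: "match", "MISMATCH", "zero-byte", "missing-on-suspect",
    "no-reference". A MISMATCH is not proof of patching on its own: a
    service pack or hotfix also changes atapi.sys, so make sure the
    reference copy is from the same service-pack level before replacing.
    """
    results = {}
    for rel in targets:
        suspect = Path(suspect_root) / rel
        reference = Path(reference_root) / rel
        if not suspect.is_file():
            results[rel] = "missing-on-suspect"
        elif not reference.is_file():
            results[rel] = "no-reference"
        elif suspect.stat().st_size == 0:
            results[rel] = "zero-byte"
        elif sha256_file(suspect) == sha256_file(reference):
            results[rel] = "match"
        else:
            results[rel] = "MISMATCH"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_drivers.py <suspect WINDOWS dir> <reference WINDOWS dir>")
    for rel, verdict in compare_drivers(sys.argv[1], sys.argv[2]).items():
        print(f"{verdict:18} {rel}")
```

Doing the comparison offline matters: a rootkit that patches atapi.sys can lie to the running system about the file's contents, which is why GMER reports "suspicious modification" rather than a clean read, but it cannot interfere with a hash taken from another boot environment.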
